From 9ea463ba11aa3b63794efef005d30cdff25e43f6 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Fri, 19 Jun 2026 17:42:34 -0500
Subject: [PATCH] deploy(irc): enable readonly UnrealIRCd RPC on GX10
---
 apps-gx10/irc/irc.yaml | 48 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 3 deletions(-)
diff --git a/apps-gx10/irc/irc.yaml b/apps-gx10/irc/irc.yaml
index 145a240..338a5ae 100644
--- a/apps-gx10/irc/irc.yaml
+++ b/apps-gx10/irc/irc.yaml
@@ -4,7 +4,8 @@
 #
 # GX10 adaptations vs OLD bluejay-infra/apps/irc/irc.yaml:
 # - OnePasswordItem REPLACED by directly-copied Secrets (no OnePassword operator on GX10).
-# irc-credentials is applied separately; cloak keys are injected from unrealircd-cloak-keys.
+# irc-credentials and unrealircd-rpc-credentials are applied separately; cloak keys
+# are injected from unrealircd-cloak-keys.
 # - unrealircd image -> localhost/fc-unrealircd:6.1.9.1-arm64 (built on GX10 from
 # DjLegolas/unrealircd-docker, alpine:3.19 base, UnrealIRCd 6.1.9.1 from source;
 # djlegolas/unrealircd:6.1.9.1 on Docker Hub is amd64-ONLY -> would crashloop on arm64).
@@ -587,6 +588,7 @@ data:
 /* Credentials injected from copied K8s secret at pod startup */
 include "modules.default.conf";
+ include "rpc.modules.default.conf";
 include "help/help.conf";
 include "operclass.default.conf";
 include "snomasks.default.conf";
@@ -636,6 +638,12 @@ data: port 6667; } + listen { + ip *; + port 8600; + options { rpc; } + } + listen { ip *; port 6697;
@@ -658,6 +666,12 @@ data: class opers; } + rpc-user flowercore-readonly { + match { ip 10.42.*; } + password "__RPC_PASSWORD__"; + rpc-class readonly; + } + drpass { restart "__OPER_PASSWORD__"; die "__OPER_PASSWORD__";
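Review bot: Nothing in this patch limits which workloads can reach the new RPC port: the `listen` block in the `-636` hunk binds `ip *`, the internal Service gains port 8600 in a later hunk, and the `rpc-user` match `10.42.*` looks like the cluster's whole pod range rather than the irc-web pod. The password then becomes the only control on the endpoint. A NetworkPolicy admitting 8600 only from the irc-web pod would close that gap, and a comment above the block such as `/* JSON-RPC: in-cluster only, served through the internal Service, never the LoadBalancer */` would record the intent. The LoadBalancer Service definition lies outside these hunks, so confirm it does not carry 8600.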
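Review bot: `rpc-class readonly;` in the new `rpc-user` block names a class that no visible hunk defines; the patch adds `include "rpc.modules.default.conf";` but no rpc-class definitions or include for them. As far as I recall, the read-only class shipped with UnrealIRCd is spelled `read-only`, so the name should be checked against the 6.1.9.1 image and, if that is right, the line becomes `rpc-class read-only;` together with the include for the default class definitions. Also verify that an unknown class name makes the config fail to load rather than leaving the user unrestricted, since the restriction is the whole point of this account.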
@@ -1014,11 +1028,13 @@ spec:
 args:
 - |
 OPER_PW=$(cat /secrets/password)
+ RPC_PW=$(cat /rpc-secrets/password)
 LINK_PW=$(cat /secrets/Link-Password)
 CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
 CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
 CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
 sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
+ -e "s|__RPC_PASSWORD__|${RPC_PW}|g" \
 -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
 -e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
 -e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
@@ -1029,6 +1045,9 @@ spec:
 - name: irc-credentials
 mountPath: /secrets
 readOnly: true
+ - name: unrealircd-rpc-credentials
+ mountPath: /rpc-secrets
+ readOnly: true
 - name: unrealircd-cloak-keys
 mountPath: /cloak-secrets
 readOnly: true
@@ -1067,6 +1086,8 @@ spec:
 name: irc-tls
 - containerPort: 8067
 name: services-link
+ - containerPort: 8600
+ name: rpc
 volumeMounts:
 - name: injected-config
 mountPath: /app/conf/unrealircd.conf
@@ -1090,6 +1111,9 @@ spec:
 - name: irc-credentials
 secret:
 secretName: irc-credentials
+ - name: unrealircd-rpc-credentials
+ secret:
+ secretName: unrealircd-rpc-credentials
 - name: unrealircd-cloak-keys
 secret:
 secretName: unrealircd-cloak-keys
@@ -1263,7 +1287,7 @@ spec:
 configMap:
 name: thelounge-flowercore-theme
 ---
-# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge)
+# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge + in-cluster JSON-RPC)
 apiVersion: v1
 kind: Service
 metadata:
@@ -1282,6 +1306,9 @@ spec:
 - port: 8067
 targetPort: 8067
 name: services-link
+ - port: 8600
+ targetPort: 8600
+ name: rpc
 ---
 # UnrealIRCd external LoadBalancer — exposes IRC TCP 6667/6697 on the GX10 PROD MetalLB pool.
 # (Replaces OLD's Traefik irc/irctls entryPoints; GX10 Traefik has no such entryPoints.)
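Review bot: The added `-e "s|__RPC_PASSWORD__|${RPC_PW}|g"` pastes the secret into a sed replacement unescaped, so a password containing `|`, `&` or `\` is altered or breaks the command, and a `"` would end the quoted string in the rendered config early. The irc-web container reads the same secret verbatim through `secretKeyRef`, so the two sides would then disagree and RPC authentication would fail with no obvious cause. Either restrict the generated password to `[A-Za-z0-9]` and state that in a comment next to `RPC_PW`, or escape it before substitution, e.g. `RPC_PW=$(sed -e 's/[\\&|]/\\&/g' /rpc-secrets/password)`. The existing OPER and LINK substitutions follow the same pattern; the script begins and ends outside the hunk.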
@@ -1394,7 +1421,7 @@ spec:
 fsGroupChangePolicy: OnRootMismatch
 containers:
 - name: web
- image: localhost/fc-irc-web:v20260619-irc2-trust-010f526
+ image: localhost/fc-irc-web:v20260619-irc-r1-rpc-01f67be
 imagePullPolicy: Never
 ports:
 - containerPort: 5080
@@ -1422,6 +1449,21 @@ spec:
 value: "irc.iamworkin.lan"
 - name: FlowerCore__IRC__ServerManagement__TlsPort
 value: "6697"
+ - name: FlowerCore__IRC__ServerManagement__RpcEnabled
+ value: "true"
+ - name: FlowerCore__IRC__ServerManagement__RpcBaseUrl
+ value: "http://unrealircd.irc.svc.cluster.local:8600"
+ - name: FlowerCore__IRC__ServerManagement__RpcPath
+ value: "/api"
+ - name: FlowerCore__IRC__ServerManagement__RpcUsername
+ value: "flowercore-readonly"
+ - name: FlowerCore__IRC__ServerManagement__RpcPassword
+ valueFrom:
+ secretKeyRef:
+ name: unrealircd-rpc-credentials
+ key: password
+ - name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel
+ value: "true"
 - name: FlowerCore__Mcp__ServiceName
 value: "fc-irc"
 - name: FlowerCore__Mcp__RoutePath
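Review bot: `RpcBaseUrl` uses `http://unrealircd.irc.svc.cluster.local:8600`, and the scheme should be checked against what the listener actually speaks. As I read the UnrealIRCd JSON-RPC documentation, the `rpc` listener is served over HTTPS, in which case a plain-HTTP client will not connect; if this build does accept plain HTTP, `RpcPassword` crosses the pod network in cleartext on every call. Prefer `value: "https://unrealircd.irc.svc.cluster.local:8600"` with the server certificate trusted by the web container, rather than disabling verification. The env list continues outside the hunk.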